Board involvement in cybersecurity risk management: How much oversight is enough?

Several recent data privacy and security-related incidents continue to illustrate the financial, legal and reputational consequences associated with cybersecurity risk. Companies — both private and public — are beginning to shift cybersecurity and privacy risk management from the IT department to the boardroom. The Securities and Exchange Commission’s Commissioner Luis Aguilar encouraged this shift in remarks before the New York Stock Exchange in June 2014, when he called on boards of directors to take a more active and informed approach to managing cyber risk. Multiple forms of guidance — ranging from proposed Office of the Comptroller of the Currency regulations in January to the National Institute of Standards and Technology’s voluntary Cybersecurity Framework developed pursuant to President Obama’s Executive Order 13636 — are advocating stricter oversight and management of cybersecurity risk.

However, as Commissioner Aguilar acknowledged, there are “various mechanisms that boards can employ to close the gap in addressing cybersecurity concerns” and “there is no ‘one-size-fits-all’ way to properly prepare for the various ways a cyber-attack can unfold.” Therefore, many companies, both public and private, are struggling to determine the nature and extent of their boards’ involvement in managing such risk. How can boards of directors balance their fiduciary duty to provide effective oversight and risk management without interfering with the management and operation of the company by senior executives and employees?

As companies struggle with these questions, the following are a few useful themes to keep in mind:

Know your board’s limitations and expectations

Boards micromanage at their own peril, particularly when faced with a lack of relative expertise and resources compared to their companies. A board should provide oversight to ensure that an effective risk management and governance structure is in place, but not directly manage the company. For example, a board may question management about the process through which a particular framework was developed and the competency of the individuals overseeing it, but it is not the board of directors’ responsibility to then develop an alternative framework. Boards should develop a basic understanding of cybersecurity and privacy risks facing the company through reports from senior management and others. Where necessary or appropriate, a company might include a cyber-expert on the company’s board of directors or retain one to provide regular reports that are discussed at board meetings. In short, however, a board’s role is not to steer the ship, but to make sure the ship has the right captain and crew and that the captain and crew have sufficient resources.

Assign specific responsibility

Every company is different. Depending on a company’s industry, size, board makeup and overall risk, it may make sense to assign cybersecurity responsibility to the full board. Alternatively, boards may assign responsibility to smaller committees. If so, boards should select one committee with responsibility for overseeing and understanding cybersecurity issues, controls and procedures. Existing audit or governance committees could be appropriate choices, although one should recognize that cybersecurity and privacy issues expand beyond mere compliance with mandatory laws and regulations into issues of best practices, reputational harm and customer relations as well.

One difficulty for large customer-service oriented organizations is that security and data privacy issues can affect many facets of the company (e.g., customer service, compliance, information technology, marketing, operations, supply chain, vendor management, etc.), making it difficult to hold one existing committee responsible for such broad and crosscutting issues. Creating a separate “cybersecurity,” “information protection” or similar committee could foster a crosscutting “big picture” approach to company-wide risk supported by various existing organizational areas. This not only demonstrates board commitment and involvement at the monitoring and reporting level, but also may ensure that senior management has the overall support and resources it needs to properly manage the associated risk.

Encourage a company-wide security and privacy culture

Data privacy and security involve more than funding IT security investments; they also extend to the company’s culture and business practices. Many breaches may be accomplished by outside threats, “hacking” and piercing firewalls, but other security and privacy issues may arise from internal sources (e.g., misplaced laptops or disgruntled employees, former employees or vendors).

In addition to security issues, privacy issues can arise from a company’s collection, use, storage and sharing of data. For example, say a company’s publicly available privacy policy promises not to use or share a customer’s personally identifiable information (PII) in a certain way or with third parties, and the company then discovers that its research and development department has been using or sharing that PII in ways contrary to the policy. This could potentially implicate the Federal Trade Commission’s (FTC) Section 5 authority against “unfair and deceptive” practices — see FTC security and privacy enforcement actions ranging from Sears (2009) to Snapchat (2014) — or draw the attention of state attorneys general or state consumer protection agencies.

Boards can play an important role in facilitating and encouraging a culture that views security and privacy as business issues affecting all levels of the company, and in emphasizing employee training and awareness. Boards can encourage the development of comprehensive policies, procedures and contractual protections that address not only data loss prevention, in terms of identifying and protecting against risk, but also data loss response. Response does not just involve restoring system integrity but also investigation, reporting and regular communication, internally and externally, upon discovery. Finally, the board should consider cyber insurance or review existing policies (both the company’s policies and directors and officers insurance) to ensure they cover data breaches.

Conclusion

Boards cannot completely eliminate cybersecurity and privacy risk, but they can play an important role in managing such risk in ways that reduce the likelihood or extent of liability after a data breach or other incident. The considerations discussed above, concerning the proper degree and role of board involvement in managing cybersecurity risk, should prove valuable in striking the right balance to fit a particular company’s needs and characteristics. By proactively addressing cybersecurity and privacy risk in a well-thought-out and informed manner, boards of directors will be better equipped to demonstrate good business judgment and fulfillment of their fiduciary duties once an incident occurs.

Brandon Robinson

Brandon N. Robinson, attorney at Balch & Bingham LLP, a corporate law firm with offices across the Southeast and in Washington D.C, is...